Move site configs from conf.d to sites-enabled

FIX: Track data/sites-available/ & data/sites-enabled/
Set defaults for directives add_header and proxy_set_header
2026-03-21 09:53:35 +00:00 · 2026-03-21 09:52:23 +00:00 · 2026-03-21 09:48:26 +00:00 · 2026-03-21 09:35:02 +00:00 · 2026-03-21 09:33:20 +00:00 · 2026-03-21 09:28:08 +00:00
26 changed files with 712 additions and 576 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,18 @@
 .env
-/data/
+
-/certbot/
+certbot/
-/goaccess/
+
-/data/public/
+goaccess/
-!/data/nginx.conf
+!goaccess/goaccess.conf
-!/data/conf.d/**
+
-!/goaccess/goaccess.conf
+data/
 # data/public/
 # data/conf.d/
 # data/logs/
 # data/logs-VCOMBINED/
 !data/nginx.conf
 !data/sites-available/**
 !data/sites-enabled/**
 # !data/conf.d/** # Configurations exist in nginx.conf and site confs
 !data/sites-enabled
--- a/data/conf.d/drone.conf
+++ b/data/conf.d/drone.conf
@@ -1,63 +0,0 @@
 upstream drone_backend {
    server drone:80;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
 server {
    listen 80;
    server_name drone.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl;
    server_name drone.novicelab.io;
    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    # Logging
    access_log /var/log/nginx/drone.novicelab.io_access.log;
    error_log /var/log/nginx/drone.novicelab.io_error.log;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # set $drone_backend drone:80;
    location / {
        proxy_pass http://drone_backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support for real-time updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
    }
 }
--- a/data/conf.d/hugo.conf
+++ b/data/conf.d/hugo.conf
@@ -1,93 +0,0 @@
 upstream hugo_backend {
    # server hugo:1313;
    server 10.0.0.250:8000;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
 # # Redirect HTTP to HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name novicelab.io www.novicelab.io x.y.novicelab.io; 
    # ACME challenge for Let's Encrypt certificate renewal
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
 }
 server {
    listen 443 ssl; 
    listen [::]:443 ssl; #
    server_name novicelab.io www.novicelab.io x.y.novicelab.io;
    # SSL Certificate paths
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # OCSP Stapling
    # ssl_stapling on;
    # ssl_stapling_verify on;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    # Diffie-Hellman parameter for DHE ciphersuites
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Logging
    access_log /var/log/nginx/novicelab.io_access.log json_combined;
    error_log /var/log/nginx/novicelab.io_error.log debug;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # set $hugo_backend hugo:1313; 
    location / {
        # proxy_pass http://10.0.0.250:8000/;
        proxy_pass http://hugo_backend;
        proxy_set_header Host $host;
        # proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header   X-Real-IP $http_cf_connecting_ip;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_buffering off;
        proxy_set_header Referer $http_referer;
        proxy_redirect off;
        proxy_set_header Cookie $http_cookie;
    }
 }
--- a/data/conf.d/wopi.conf
+++ b/data/conf.d/wopi.conf
@@ -1,43 +0,0 @@
 server {
    listen 80;
    server_name wopi.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl; # http2;
    server_name wopi.novicelab.io;
    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # set $opencloud_backend 10.0.0.251:9300;
    location / {
        proxy_pass              http://10.0.0.251:9300;
        #proxy_pass         http://$opencloud_backend/;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # Headers for WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
 }
--- a/data/nginx.conf
+++ b/data/nginx.conf
@@ -3,25 +3,36 @@ worker_processes auto;
 error_log /var/log/nginx/error.log warn;
 pid /var/run/nginx.pid;
 # Load modules
 include              /etc/nginx/modules-enabled/*.conf;
 events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
 }
 http {
    # MIME
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
-    keepalive_timeout 65;
+    charset                utf-8;
-    keepalive_requests 100000;
+    sendfile               on;
-
+    tcp_nopush             on;
-    variables_hash_max_size 2048;
+    tcp_nodelay            on;
    server_names_hash_bucket_size 128;
    server_tokens          off;
-    resolver 8.8.8.8 valid=30s ipv6=off;
+    log_format main      '$remote_addr - $remote_user [$time_local] '
-    resolver_timeout 11s;
+                         '"$request" $status $bytes_sent '
                         '"$http_referer" "$http_user_agent" '
                         '"$gzip_ratio"';
    log_format cloudflare '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" $http_cf_ray $http_cf_connecting_ip '
                          '$http_x_forwarded_for $http_x_forwarded_proto ' 
                          '$http_true_client_ip $http_cf_ipcountry '
                          '$http_cf_visitor $http_cdn_loop';
    log_format json_combined escape=json '{'
        '"method":"$request_method",'
@@ -40,49 +51,87 @@ http {
        '"timestamp":"$time_iso8601",'
        '"ip":"$http_x_forwarded_for"'
    '}';
    # log_format VCOMBINED '$host:$server_port '
    #                  '$remote_addr $remote_user [$time_local] '
    #                  '"$request" $status $body_bytes_sent '
    #                  '"$http_referer" "$http_user_agent"';
    # track every client request and are vital for traffic analysis and performance monitoring.
    access_log  /var/log/nginx/access.log json_combined;
    # capture internal server issues and help with troubleshooting.
    error_log   /var/log/nginx/error.log debug;
-    sendfile on;
+    # SSL
-    tcp_nopush on;
+    # Mozilla Intermediate configuration
    tcp_nodelay on;
    types_hash_max_size 2048;
    # Important for MinIO
    client_max_body_size 0;
    proxy_buffering off;
    proxy_request_buffering off;
    # Increase the buffer for the request line and headers
    client_header_buffer_size 16k;
    large_client_header_buffers 4 32k;
    # If using Nginx as a proxy to the Harbor core/registry
    proxy_buffer_size          128k;
    proxy_buffers              4 256k;
    proxy_busy_buffers_size    256k;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;
    # Add extra headers
    add_header X-Frame-Options DENY;
    add_header Content-Security-Policy "frame-ancestors 'none'";
    # SSL Settings
    ssl_protocols          TLSv1.2 TLSv1.3;
-    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_ciphers            ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
+    # enable session resumption to improve https performance
    ssl_session_timeout    10m;
    ssl_session_cache      shared:SSL:10m;
    ssl_session_tickets    off;
    # Diffie-Hellman parameter for DHE ciphersuites
    # ssl_dhparam            /etc/nginx/dhparam.pem;
    # OCSP Stapling 
    # ssl_stapling           on;
    # ssl_stapling_verify    on;
    resolver               127.0.0.11 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout       2s;
    #       CONTROL RESOURCES AND LIMITS / CONTROLLING BUFFER OVERFLOW ATTACKS
    # specify the client request body buffer size; default 8k/16k
    client_body_buffer_size 1k;
    # sets the headerbuffer size for the request header from client.
    # 1K sufficient for most requests. 
    # Increase this if you have a custom header or a large cookie sent from the client (e.g., wap client).
    client_header_buffer_size 1k;
    # assigns the maximum accepted body size of client request, indicated by the line Content-Length in the header of request. 
    # If size is greater the given one, then the client gets the error “Request Entity Too Large” (413). 
    # Increase this when you are getting file uploads via the POST method. e.g harbor image push, minio uploads
    client_max_body_size 1k;
    # assigns the maximum number and size of buffers for large headers to read from client request. 
    # By default the size of one buffer is equal to the size of page, depending on platform this either 4K or 8K, 
    # if at the end of working request connection converts to state keep-alive, 
    # then these buffers are freed. 2x1k will accept 2kB data URI. 
    # This will also help combat bad bots and DoS attacks. 
    large_client_header_buffers 4 4k;
    client_header_timeout  60;
    client_body_timeout    60;
    send_timeout           60;
    #       PROXY BUFFERING
    # NGINX stores the response from a server in internal buffers as it comes in, 
    # and doesn't start sending data to the client until the entire response is buffered
    # With proxy_buffering disabled, data received from the server is immediately relayed by NGINX, 
    # allowing for minimum Time To First Byte (TTFB). 
    # TLDR - Buffering is needed to ensure that the upstream server can be set free after delivering the response to NGINX, 
    #        and NGINX will proceed to deliver the response to the slow client.
    proxy_buffering off; # for a single server setup (SSL termination of Varnish), where no caching is done in NGINX itself
    # Defines the amount of memory that NGINX will allocate for each request to the proxied server. 
    # This small chunk of memory will be used for reading and storing the tiny fraction of response – the HTTP headers.
    # tuning solves the upstream sent too big header while reading response header from upstream error.
    proxy_buffer_size 8k; # defaults: 4k/8k, should be enough for most PHP websites, or adjust as above
    # size of buffers, in kilobytes, which can be used for delivering the response to clients 
    # while it was not fully read from the upstream server.
    proxy_busy_buffers_size 16k; # essentially, proxy_buffer_size + 2 small buffers of 4k
    # The rule of thumb with this setting is that while we make use of buffering, 
    # it is best that the complete response from upstream can be held in memory, to avoid disk I/O.
    proxy_buffers 8 4k; # Default: 8 4k|8k; should be enough for most PHP websites, adjust as above to get an accurate value
    # Time to establish TCP connection
    # Increase only if your app has slow endpoints
    proxy_connect_timeout 60s;
    # Time between successive writes to upstream
    proxy_send_timeout 60;
    # Time between successive reads from upstream
    proxy_read_timeout 60;
    # Gzip Settings
    gzip on;
@@ -91,7 +140,7 @@ http {
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
    # Include all server configurations
-    include /etc/nginx/conf.d/*.conf;
+    # include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
 }
--- a/data/sites-enabled/adminer.conf
+++ b/data/sites-enabled/adminer.conf
@@ -1,12 +1,9 @@
 upstream adminer_backend {
    server adminer:8080;
    # Keep up to 16 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
@@ -29,31 +26,22 @@ server {
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name adminer.novicelab.io;
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-    
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/adminer.novicelab.io_access.log json_combined;
@@ -63,9 +51,13 @@ server {
    location / {
        proxy_pass http://adminer_backend;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
    }
 }
--- a/data/sites-enabled/auth.conf
+++ b/data/sites-enabled/auth.conf
@@ -1,12 +1,9 @@
 upstream keycloak_backend {
    server keycloak:80; 
-
+    # Keep up to 16 idle connections per worker
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
@@ -29,35 +26,23 @@ server {
 server {
    listen 443 ssl; 
-    listen [::]:443 ssl; #
+    listen [::]:443 ssl;
    http2 on;
    server_name auth.novicelab.io;
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/auth.novicelab.io_access.log json_combined;
@@ -66,20 +51,20 @@ server {
    # set $keycloak_backend keycloak:80; 
    location / {
        # proxy_pass http://10.0.0.253:8085/auth/;
        proxy_pass http://keycloak_backend;
        proxy_set_header Host               $host;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  https;
        proxy_set_header X-Forwarded-For    $remote_addr;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme; #https;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
        proxy_set_header Accept-Encoding ""; 
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;
    }
 }
--- a/data/sites-enabled/book.conf
+++ b/data/sites-enabled/book.conf
@@ -1,13 +1,9 @@
 upstream bookstack_backend {
    # server 10.0.0.251:6875/;
    server bookstack:80;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
@@ -31,34 +27,22 @@ server {
 server {
    listen 443 ssl; 
    listen [::]:443 ssl; 
    http2 on;
    server_name book.novicelab.io;
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/book.novicelab.io_access.log json_combined;
@@ -68,9 +52,13 @@ server {
    location / {
        proxy_pass http://bookstack_backend;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme; #https;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
    }
 }
--- a/data/sites-enabled/cluster.conf
+++ b/data/sites-enabled/cluster.conf
@@ -8,34 +8,22 @@ upstream haproxy_backend {
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name *.novicelab.io;
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/*.novicelab.io_access.log json_combined;
@@ -44,16 +32,23 @@ server {
    location / {
        proxy_pass http://10.0.0.20:80;
        # proxy_pass http://haproxy_backend;
-        proxy_http_version 1.1;
+        
        proxy_set_header Connection "";
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme; #https;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # Performance optimizations
        proxy_buffering off;
        proxy_request_buffering off;
        # Timeouts
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
--- a/data/sites-enabled/drone.conf
+++ b/data/sites-enabled/drone.conf
@@ -0,0 +1,68 @@
 upstream drone_backend {
    server drone:80;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
 server {
    listen 80;
    server_name drone.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name drone.novicelab.io;
    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/drone.novicelab.io_access.log;
    error_log /var/log/nginx/drone.novicelab.io_error.log;
    # set $drone_backend drone:80;
    location / {
        proxy_pass http://drone_backend;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme; #https;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
        # WebSocket support for real-time updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
    }
 }
--- a/data/sites-enabled/gitea.conf
+++ b/data/sites-enabled/gitea.conf
@@ -13,27 +13,14 @@ upstream gitea_backend {
 server {
    listen 443 ssl; 
-    listen [::]:443 ssl; #
+    listen [::]:443 ssl;
    http2 on;
    server_name gitea.novicelab.io;  
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -42,6 +29,7 @@ server {
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/gitea.novicelab.io_access.log json_combined;
@@ -51,10 +39,14 @@ server {
    location / {
        proxy_pass http://gitea_backend;
-        proxy_set_header Host $http_host;
+
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme; #https;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
        # WebSocket support for real-time updates
        proxy_http_version 1.1;
--- a/data/sites-enabled/goaccess.conf
+++ b/data/sites-enabled/goaccess.conf
@@ -33,20 +33,24 @@ map $http_upgrade $connection_upgrade {
 # Server block for GoAccess dashboard
 server {
-    listen 443 ssl; # http2;
+    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name goaccess.novicelab.io;
-    # SSL configuration
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    ssl_session_timeout 1d;
+    # Security Headers
-    ssl_session_cache shared:SSL:10m;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
-    ssl_session_tickets off;
+    add_header X-Frame-Options "SAMEORIGIN" always;
-    ssl_protocols TLSv1.3;
+    add_header X-Content-Type-Options "nosniff" always;
-
+    add_header X-XSS-Protection "1; mode=block" always;
-    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    resolver_timeout 5s;
+    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
        # Logging
    access_log /var/log/nginx/goaccess.novicelab.io_access.log json_combined;
@@ -63,10 +67,14 @@ server {
    location /ws {
        proxy_pass http://$goaccess_backend;
-        proxy_set_header Host $http_host;
+        
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
-		proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme; #https;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
 		#enable ws upgrade
 		proxy_http_version 1.1;
--- a/data/sites-enabled/harbor.conf
+++ b/data/sites-enabled/harbor.conf
@@ -1,39 +1,27 @@
-# upstream harbor_backend {
+upstream harbor_backend {
-#     server nginx-harbor:80; 
+    # server harbor-nginx:8080; # Harbor is in its own network
-# 
+    server 10.0.0.250:3200; 
-#     # Keep up to 32 idle connections per worker
+
-#     keepalive 16;
+    # Keep up to 32 idle connections per worker
-# 
+    keepalive 16;
-#     # Maximum time a connection can be idle
+
-#     keepalive_timeout 60s;
+    # Maximum time a connection can be idle
-# 
+    keepalive_timeout 60s;
-#     # Maximum requests per keepalive connection
+
-#     keepalive_requests 100;
+    # Maximum requests per keepalive connection
-# }
+    keepalive_requests 100;
 }
 server {
-    listen 443 ssl; #http2;
+    listen 443 ssl;
-    listen [::]:443 ssl; # http2;
+    listen [::]:443 ssl;
    http2 on;
    server_name harbor.novicelab.io;
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -42,13 +30,14 @@ server {
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/harbor.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/harbor.novicelab.io_error.log debug;
-    # set $harbor_backend 10.0.0.251:9090; 
+    # set $harbor_backend 10.0.0.251:3200; 
-    set $harbor_backend nginx-harbor:80; 
+    # set $harbor_backend harbor-nginx:8080; 
    client_max_body_size 0;
@@ -59,8 +48,15 @@ server {
    chunked_transfer_encoding on;
    location / {
-        proxy_pass http://$harbor_backend;
+        proxy_pass http://harbor_backend;
-        proxy_set_header Host $http_host;
+
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme; #https;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
        # WebSocket support for real-time updates
        proxy_http_version 1.1;
@@ -96,12 +92,14 @@ server {
    location /v2/ {
        # Do not allow Nginx to add/remove trailing slashes here
-        proxy_pass http://$harbor_backend;
+        proxy_pass http://harbor_backend;
        proxy_set_header Host $http_host; # Important for Registry
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;
        # Increase body size for image uploads
        client_max_body_size 0; 
--- a/data/sites-enabled/hugo.conf
+++ b/data/sites-enabled/hugo.conf
@@ -0,0 +1,82 @@
 upstream hugo_backend {
    server hugo:1313;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
 # Redirect HTTP to HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name novicelab.io www.novicelab.io; 
    # ACME challenge for Let's Encrypt certificate renewal
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
 }
 # Redirect www to non-www
 server {
    listen                  443 ssl;
    listen                  [::]:443 ssl;
    http2 on;
    server_name             www.novicelab.io;
    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # logging
    error_log               /var/log/nginx/error.log debug;
    return                  301 https://novicelab.io$request_uri;
 }
 server {
    listen 443 ssl; 
    listen [::]:443 ssl;
    http2 on;
    server_name novicelab.io;
    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # Security Headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/novicelab.io_access.log json_combined;
    error_log /var/log/nginx/novicelab.io_error.log debug;
    # set $hugo_backend hugo:1313; 
    location / {
        proxy_pass http://hugo_backend;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
    }
 }
--- a/data/sites-enabled/kimai.conf
+++ b/data/sites-enabled/kimai.conf
@@ -0,0 +1,58 @@
 # Redirect HTTP to HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name kimai.novicelab.io;
    # ACME challenge for Let's Encrypt certificate renewal
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
 }
 server {
    listen 443 ssl; 
    listen [::]:443 ssl;
    http2 on;
    server_name kimai.novicelab.io;
    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/kimai.novicelab.io_access.log;
    error_log /var/log/nginx/kimai.novicelab.io_error.log;
    set $kimai_backend kimai:8001; 
    location / {
        proxy_pass http://10.0.0.250:8400;
        # proxy_pass http://$kimai_backend;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme; #https;
        # proxy_set_header  X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
    }
    # Redirect HTTP to HTTPS, in case an invalid (plain HTTP) request was sent to port 443
    error_page 497 https://$host:$server_port$request_uri;
 }
--- a/data/sites-enabled/mailcow.conf
+++ b/data/sites-enabled/mailcow.conf
@@ -6,20 +6,23 @@ server {
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name mailcow.novicelab.io;
    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    ssl_session_timeout 1d;
    # ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
-    # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
+    # Security Headers
-    # An example config is given below
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
-    # ssl_protocols TLSv1.2;
+    add_header X-Frame-Options "SAMEORIGIN" always;
-    ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
+    add_header X-Content-Type-Options "nosniff" always;
-    ssl_prefer_server_ciphers off;
+    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/mailcow.novicelab.io_access.log;
--- a/data/sites-enabled/minio.conf
+++ b/data/sites-enabled/minio.conf
@@ -1,25 +1,19 @@
 upstream minio_backend {
    server minio:9001;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
 upstream s3_backend {
    server minio:9000; 
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
@@ -32,27 +26,14 @@ server {
 server {
    listen 443 ssl; 
-    listen [::]:443 ssl; #
+    listen [::]:443 ssl; 
    http2 on;
    server_name minio.novicelab.io; 
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -61,15 +42,14 @@ server {
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/minio.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/minio.novicelab.io_error.log debug;
    # resolver 127.0.0.11 valid=30s;
    # set $minio_backend minio:9001; 
    location / {
        proxy_pass http://minio_backend;
        proxy_set_header Host $host;
@@ -89,7 +69,7 @@ server {
        proxy_read_timeout 300;
        send_timeout 300;
-        client_max_body_size 0;
+        client_max_body_size 500M;
    }
 }
@@ -102,26 +82,13 @@ server {
 server {
    listen 443 ssl;
    listen [::]:443 ssl; 
    http2 on;
    server_name s3.novicelab.io; 
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -130,16 +97,17 @@ server {
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/s3.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/s3.novicelab.io_error.log debug;
    # resolver 127.0.0.11 valid=30s;
    # set $s3_backend minio:9000; 
    location / {
        proxy_pass http://s3_backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/data/sites-enabled/mkdocs.conf
+++ b/data/sites-enabled/mkdocs.conf
--- a/data/sites-enabled/opencloud.conf
+++ b/data/sites-enabled/opencloud.conf
@@ -1,12 +1,9 @@
 upstream opencloud_backend {
-    server 10.0.0.251:9200;
+    server 10.0.0.250:9200;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
@@ -18,25 +15,29 @@ server {
 }
 server {
-    listen 443 ssl; # http2;
+    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name opencloud.novicelab.io;
    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
+
-    ssl_session_cache   shared:SSL:10m;
+    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/opencloud.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/opencloud.novicelab.io_error.log debug;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    client_max_body_size 10M;
    # Disable buffering - essential for SSE
@@ -50,17 +51,13 @@ server {
    keepalive_timeout 5m;
    http2_max_concurrent_streams 512;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # set $opencloud_backend 10.0.0.251:9200;
    # Prevent nginx from trying other upstreams
    proxy_next_upstream off;
    location / {
-        # Pass all other requests to CouchDB
+        proxy_pass              http://opencloud_backend;
        proxy_pass              http://10.0.0.250:9200;
        # proxy_pass         http://opencloud_backend/;
        proxy_set_header        Host $host;
--- a/data/sites-enabled/opencloud_collabora.conf
+++ b/data/sites-enabled/opencloud_collabora.conf
@@ -0,0 +1,75 @@
 upstream collabora_backend {
    server 10.0.0.250:9980;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
 server {
    listen 80;
    server_name collabora.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name collabora.novicelab.io;
    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/opencloud_collabora.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/opencloud_collabora.novicelab.io_error.log debug;
    client_max_body_size 10M;
    # Disable buffering - essential for SSE
    proxy_buffering off;
    proxy_request_buffering off;
    # Extend timeouts for long connections
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    keepalive_requests 100000;
    keepalive_timeout 5m;
    http2_max_concurrent_streams 512;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # set $collabora_backend 10.0.0.251:9980;
    # Prevent nginx from trying other upstreams
    proxy_next_upstream off;
    location / {
        proxy_pass              http://collabora_backend;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # Headers for WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
 }
--- a/data/sites-enabled/opencloud_wopi.conf
+++ b/data/sites-enabled/opencloud_wopi.conf
@@ -0,0 +1,58 @@
 upstream wopi_backend {
    server 10.0.0.250:9300;;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
 server {
    listen 80;
    server_name wopi.novicelab.io;
    return 301 https://$host$request_uri;
 }
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name wopi.novicelab.io;
    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/opencloud_wopi.novicelab.io_access.log json_combined;
    error_log /var/log/nginx/opencloud_wopi.novicelab.io_error.log debug;
    # set $wopi_backend 10.0.0.251:9300;
    location / {
        # proxy_pass              http://10.0.0.250:9300;
        proxy_pass         http://wopi_backend/;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # Headers for WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
 }
--- a/data/sites-enabled/plane.conf
+++ b/data/sites-enabled/plane.conf
@@ -46,26 +46,13 @@ server {
 server {
    listen 443 ssl;
    listen [::]:443 ssl; 
    http2 on;
    server_name plane.novicelab.io; 
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -74,6 +61,7 @@ server {
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/plane.novicelab.io_access.log json_combined;
@@ -88,7 +76,7 @@ server {
    set $backend_minio  minio:9000;
-    client_max_body_size 0;
+    # client_max_body_size 0;
    # Set the bucket name as a variable for the regex location
    set $bucket_name "plane";
@@ -172,7 +160,7 @@ server {
            return 204;
        }
-        client_max_body_size 0;
+        client_max_body_size 20M;
        # proxy_pass https://s3.novicelab.io/plane;
    }
--- a/data/sites-enabled/portainer.conf
+++ b/data/sites-enabled/portainer.conf
@@ -0,0 +1,65 @@
 upstream portainer_backend {
    server portainer:9000;
    keepalive 16;
    keepalive_timeout 60s;
    keepalive_requests 100;
 }
 # Redirect HTTP to HTTPS
 server {
    listen 80;
    listen [::]:80;
    server_name portainer.novicelab.io;
    # ACME challenge for Let's Encrypt certificate renewal
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
 }
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name portainer.novicelab.io;
    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/portainer.novicelab.io_access.log;
    error_log /var/log/nginx/portainer.novicelab.io_error.log;
    # set $portainer_backend portainer:9000; 
    location / {
        proxy_pass http://portainer_backend;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme; #https;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Port   $server_port;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;
    }
 }
--- a/data/sites-enabled/umami.conf
+++ b/data/sites-enabled/umami.conf
@@ -1,12 +1,9 @@
 upstream umami_backend {
    server umami:3000;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
@@ -28,28 +25,15 @@ server {
 }
 server {
-    listen 443 ssl; #http2;
+    listen 443 ssl;
-    listen [::]:443 ssl; # http2;
+    listen [::]:443 ssl;
    http2 on;
    server_name umami.novicelab.io;
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -58,6 +42,7 @@ server {
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/umami.novicelab.io_access.log json_combined;
@@ -66,54 +51,38 @@ server {
    # set $umami_backend umami:3000; 
    location / {
        # proxy_pass http://$umami_backend;
        proxy_pass http://umami_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Proto $scheme; #https ;
        proxy_set_header X-Forwarded-Host $host;
-        proxy_buffering off;
+        # WebSocket support for real-time dashboard
-        proxy_set_header Referer $http_referer;
+        proxy_http_version 1.1;
-        proxy_redirect off;
+        proxy_set_header Upgrade $http_upgrade;
-
+        proxy_set_header Connection "upgrade";
        proxy_set_header Cookie $http_cookie;
    }
        # 1. Allow public access to tracking scripts
    location ~ ^/(script\.js|umami\.js)$ {
        # proxy_pass http://$umami_backend;
        proxy_pass http://umami_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https; # $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme; #https ;
        proxy_set_header X-Forwarded-Host $host;
        proxy_buffering off;
        proxy_set_header Referer $http_referer;
        proxy_redirect off;
        proxy_set_header Cookie $http_cookie;
    }
    # 2. Allow public access to tracking API (metrics collection)
    location /api/send {
        # proxy_pass http://$umami_backend;
        proxy_pass http://umami_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto https; # $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme; #https ;
        proxy_set_header X-Forwarded-Host $host;
        proxy_buffering off;
        proxy_set_header Referer $http_referer;
        proxy_redirect off;
        proxy_set_header Cookie $http_cookie;
    }
 }
--- a/data/sites-enabled/vault.conf
+++ b/data/sites-enabled/vault.conf
@@ -1,12 +1,9 @@
 upstream vault_backend {
    server 10.0.0.250:8090;
    # Keep up to 32 idle connections per worker
    keepalive 16;
    # Maximum time a connection can be idle
    keepalive_timeout 60s;
    # Maximum requests per keepalive connection
    keepalive_requests 100;
 }
@@ -28,28 +25,15 @@ server {
 }
 server {
-    listen 443 ssl; #http2;
+    listen 443 ssl;
-    listen [::]:443 ssl; # http2;
+    listen [::]:443 ssl;
    http2 on;
    server_name vault.novicelab.io; 
-    # SSL Certificate paths
+    # SSL
    ssl_certificate /etc/letsencrypt/live/novicelab.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
-
+    ssl_trusted_certificate /etc/letsencrypt/live/novicelab.io/chain.pem;
    # SSL Protocol - TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites (prioritize TLS 1.3, secure TLS 1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # SSL session configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -58,6 +42,7 @@ server {
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    # Logging
    access_log /var/log/nginx/vault.novicelab.io_access.log json_combined;
@@ -66,8 +51,8 @@ server {
    # set $vault_backend vaultwarden:443;
    location / {
        # proxy_pass http://$vault_backend;
        proxy_pass http://vault_backend;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,7 +7,9 @@ services:
      - "443:443"
    volumes:
      - ./data/nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./data/conf.d:/etc/nginx/conf.d:ro
+      # - ./data/conf.d:/etc/nginx/conf.d:ro
      - ./data/sites-available:/etc/nginx/sites-available
      - ./data/sites-enabled:/etc/nginx/sites-enabled
      - ./data/logs:/var/log/nginx
      - ./data/public:/usr/share/nginx/html:rw
      - ./certbot/conf:/etc/letsencrypt
Author	SHA1	Message	Date
kbrianngeno	693aa12720	Move site configs from conf.d to sites-enabled	2026-03-21 09:53:35 +00:00
kbrianngeno	f4cba30f72	FIX: Track data/sites-available/ & data/sites-enabled/	2026-03-21 09:52:23 +00:00
kbrianngeno	8296b58bd3	Set defaults for directives add_header and proxy_set_header	2026-03-21 09:48:26 +00:00
kbrianngeno	17a8b6bce2	Set low default values for directives Adjust directive values as needed depending on site requirements e.g client_max_body_size 500M in minio.conf while other sites are limited to 1k	2026-03-21 09:35:02 +00:00
kbrianngeno	8d79a452ee	Unmount conf.d, mount sites-available and sites-enabled	2026-03-21 09:33:20 +00:00
kbrianngeno	ba09bd3f7c	Untrack conf.d Configs exist in nginx.conf and site.confs. conf.d contains: - general.conf - gzip - proxy.conf - proxy_buffer, proxy_set_header and proxy_* directives - security.conf - add_header directives	2026-03-21 09:28:08 +00:00